US2022141192A1PendingUtilityA1

System and Methods for Path-Aware and Path-Assured Secure Virtual Private Lines and Secure Network Slices using Enhanced Digital Certificates in Multi-Vendor Multi-Domain Networks

41
Assignee: SECUREGPriority: Nov 3, 2020Filed: Nov 2, 2021Published: May 5, 2022
Est. expiryNov 3, 2040(~14.3 yrs left)· nominal 20-yr term from priority
H04L 9/3263H04W 12/009H04L 63/0823G06F 21/606H04W 12/102H04L 63/1425H04W 12/069H04L 63/0861H04L 63/105H04L 2463/082H04L 63/20H04L 63/0272G06F 21/335
41
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Methods of configuring path-aware point to point secure network private lines over multi-domain, multi-operator virtual and physical networks through network elements that are compliant with PKI Digital Certificates (eDC) with metadata enhancements are disclosed. Secure Network Slices (SNS) may then be constructed by interconnecting SVPLs through a network aggregation device such as switch/bridge/router which allows different network policies on different segments of the network. A Digital Trust Broker is disclosed that bridges between multiple Authentication/Authorization frameworks of an enterprise and the security frameworks of multiple operators and service providers that provide Secure Virtual Private lines and Secure Network Slices. Additionally, the methods that identify that any traffic exchange with internet or between differing levels of SNS or SVPLs go through enhanced security bridge that enforces policies of high security enterprise are also disclosed.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method of creating a Secure Network Slice, which is a multi-point secure network, comprising:
 creating a plurality of secure virtual private lines, wherein creating each secure virtual private lines comprises:
 determining one or more forwarding paths through the network that connects two points; 
 querying each network device along each of the one or more forwarding paths to determine if each network device is trust assured and comprises an enhanced digital certificate, wherein the enhanced digital certificate comprises metadata regarding a provenance of the network device; 
 defining the secure virtual private line as a forwarding path between the two points wherein each network device in the forwarding path has an enhanced digital certificate having desired parameters; and 
   using an aggregation device to connect two or more secure virtual private lines to create the Secure Network Slice.   
     
     
         2 . The method of  claim 1 , wherein the multi-point secure network comprises at least one of an enterprise network, a cloud provider, a communications service provider, a SDN, physical/virtual network segment, a 5G radio access network and a 5G core network. 
     
     
         3 . The method of  claim 1 , wherein the metadata is selected from the group consisting of hardware or software make; hardware or software model or release; a region where the network device is manufactured; and a location where the network device is manufactured. 
     
     
         4 . The method of  claim 1 , wherein the metadata comprises geolocation information regarding where the network device is deployed. 
     
     
         5 . The method of  claim 1 , wherein the metadata comprises a list of security policies supported by the network device. 
     
     
         6 . The method of  claim 1 , wherein the two of more secure virtual private lines are at different security levels and the aggregation device comprises an enhanced security bridge. 
     
     
         7 . The method of  claim 1 , wherein a mobile device is configured to access the secure network slice, and the mobile device comprises an enhanced digital certificate and authenticates a user of the mobile device prior to allowing access to the secure network slice. 
     
     
         8 . The method of  claim 7 , wherein the user is authenticated using at least one of multi-part authentication, device screen lock pass code, speaker recognition, fingerprint recognition, and facial recognition. 
     
     
         9 . A method of maintaining security in a Secure Network Slice, which is a multi-point secure network, comprising:
 creating a Secure Network Slice, wherein the Secure Network Slice includes an enhanced security bridge, wherein the enhanced security bridge serves an interface between other devices in the Secure Network Slice and the internet; and   forcing any traffic from the Secure Network Slice to or from the internet to pass through the enhanced security bridge.   
     
     
         10 . The method of  claim 9 , wherein the enhanced security bridge is configured to perform deep packet inspection. 
     
     
         11 . The method of  claim 9 , wherein the enhanced security bridge only allows traffic at a certain security level to access the internet. 
     
     
         12 . The method of  claim 9 , wherein the enhanced security bridge allows only certain end points to access the internet. 
     
     
         13 . A Digital Trust Broker, comprising a plurality of functional software modules;
 wherein the Digital Trust Broker is adapted to interact with an Operations and Management Platform (OMP) associated with an external operator to create and maintain a Secure Network Slice, wherein the Secure Network Slice is a logical network in a multi-domain network.   
     
     
         14 . The Digital Trust Broker of  claim 13 , wherein when a user session attempts to access the Secure Network Slice, the Digital Trust Broker validates the user. 
     
     
         15 . The Digital Trust Broker of  claim 13 , wherein when a user session attempts to access the Secure Network Slice, the Digital Trust Broker interacts with consumer premise equipment (CPE) to obtain security policy metadata of a Slice Certificate, and based on the Slice Certificate, determines which applications and departments of an enterprise are allowed to access the Secure Network Slice. 
     
     
         16 . The Digital Trust Broker of  claim 13 , wherein the Digital Trust Broker gathers device forwarding behavior for specific interfaces in the Secure Network Slice, and based on historical information, detects an anomaly in an operation of the device. 
     
     
         17 . The Digital Trust Broker of  claim 16 , wherein the Digital Trust Broker monitors packet volume, byte volumes, frequency, IO Read, IO Activity generated during a session, for each client server interaction by a user and user device. 
     
     
         18 . The Digital Trust Broker of  claim 13 , wherein, after the Secure Network Slice has been created, the Digital Trust Broker creates new transit paths due to configuration changes. 
     
     
         19 . The Digital Trust Broker of  claim 13 , wherein, after the Secure Network Slice has been created, the Digital Trust Broker revalidates each device in the Secure Network Slice.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.